Paul Jakma said:
> > BTW Paul are you serious about older versions of pine running attached
> > shell scripts?? That's *so* broken.
>
> not quite as bad as that. :)
> but older versions of pine had a mime-parsing bug, which meant it was
> possible to get pine to run arbitrary shell commands by sending it the
> right mime-headers. :(

I remember that one. but that's not quite in the same boat as the
running-attached-shell-script issue...

automatically running attached shell script or vbs file = stupid stupid mailreader

bug in MIME parsing = whoops! bad code, but not quite stupid

And that "UNIX virus" mail claimed "It contains (sic) of a so-called shell
script which, when executed [...]" rather than mentioning overflowing
buffers or exploiting a bug...

I agree that theoretically you could set up a UNIX mail virus, but without
a really really badly designed security model overall (viz Outlook and
Windows) it's not going to get very far if it has to rely on various
buffer overflows and bugs in a myriad of different mailreader versions to
get itself run.
> (wouldn't be surprised if similar bugs existed in other unix mail handlers
> that parsed mime).
yep, there was a buffer overflow if I recall correctly, found in nmh a
coupla months ago :( Of course a fix was released in a few days and all
the vendors have binaries for it on their websites.
--j.